The Bit Bucket

Friday, September 29, 2006

Two more security vulnerabilities

Microsoft are having quite a month of it. Today two new security vulnerabilities have been issued. This brings to three the number of outstanding security holes with no available patches.

They are:

Keep an eye on the PowerPoint one. At the time of writing it may be the target of a zero-day exploit. Personally I don't think we will see another out-of-band patch release from Microsoft, but I do expect to see a high number of security patches on October 10th.


Wednesday, September 27, 2006

MS06-055 Released plus other patching updates

Microsoft have released MS06-055, an out-of-band release specifically targeted at fixing the vulnerability in VML (Vector Markup Language) in Internet Explorer.

This security patch should be applied as soon as possible as there is exploit code out on the web. Whilst not widespread it could become more exploited as time goes on.

At the same time it's worth noting the other issues and security patches Microsoft have deployed:

MS06-049 has been re-released. This update doesn't add any additional security protection but it does fix the bug that caused NTFS compressed files to become corrupted.

There is also an outstanding security advisory:

925444 is a vulnerability in DirectX.

For non-Microsoft patches, version 1.5.0.7 of Firefox has been released, which fixes quite a few security holes.

And finally there is an update to Adobe Flash Player.

Is everyone keeping up with all these? I suspect not because most of you will be using SUS or WSUS to deploy patches and will miss out on things like the Flash Player security hole. Always remember you need to keep your applications patched just as much as your Operating System!
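One way to catch the applications that SUS/WSUS will not cover is to compare a software inventory against the minimum patched versions. The script below is an added example, not part of the original post; the inventory rows and host names are constructed, and only the Firefox 1.5.0.7 baseline comes from the post (other products need their vendor's fixed version filled in).

```python
# Added example: flag third-party applications that WSUS will not patch.
# The inventory lines below are constructed sample data, not real hosts.

# Minimum patched versions. Firefox 1.5.0.7 comes from the post; any other
# product must be filled in from its vendor's advisory.
BASELINE = {"firefox": "1.5.0.7"}

SAMPLE_INVENTORY = """\
ws-001,Firefox,1.5.0.6
ws-002,Firefox,1.5.0.7
ws-003,Firefox,1.5.0.10
ws-004,Firefox,1.5
ws-005,Flash Player,unknown
"""

def parse_version(text):
    """Turn '1.5.0.7' into (1, 5, 0, 7); raise ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def is_older(installed, minimum):
    """Compare numerically, padding short versions with zeros (1.5 == 1.5.0.0)."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def audit(inventory_csv, baseline=BASELINE):
    """Return (host, product, version, status) for every row needing attention."""
    findings = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        minimum = baseline.get(product.lower())
        if minimum is None:
            # Installed software with no known patched version is a gap too.
            findings.append((host, product, version, "no baseline"))
            continue
        try:
            if is_older(version, minimum):
                findings.append((host, product, version, "outdated"))
        except ValueError:
            findings.append((host, product, version, "unparseable version"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

Versions are compared as numeric tuples because a plain string comparison would rank 1.5.0.10 below 1.5.0.7 and report a patched machine as vulnerable.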



Expect October to be an interesting and full month for patches.


Monday, September 25, 2006

Windows Mobile Emulation

At the Microsoft Messaging & Mobility User Group meeting last week, a demo of Exchange 2007 mobile messaging policies was shown. The demo showed how, using Exchange 2007 policies, a mobile device could be remotely wiped the NEXT time it tried to sync.

The really interesting thing about this demo was that it featured a mobile emulator device rather than real hardware. This caught my attention because I didn't even know Microsoft HAD such a thing as a mobile device emulator! A quick trip around Microsoft's site showed several add-ins for Visual Studio but no actual device emulator download.

After some heavy use of Google I managed to find what I was after and piece it all together. Getting the mobile emulator up and running is not as simple as it could be but for anyone interested in using the mobile emulator software this is how I got it working.

1. Download the following files:

standalone_emulator_V1.exe
efp.msi

CTP_Setup_NoNetFX.msi
netsvwrap.msi

You will also need a copy of ActiveSync 4.x or higher. I'm using 4.2, which is the latest, and this works like a charm.

2. Install the following:

standalone_emulator_V1 - This is the actual emulator
efp.msi - EFP contains the actual images
netsvwrap - Contains a networking driver
ctp_setup_nonetfx - Provides an emulator manager that is required to 'cradle' the device.

3. Click on Start -> All Programs -> Microsoft Windows Mobile 5.0 MSFP Emulator Images -> Pocket PC Coldboot.

4. Configure and mess around with the Pocket PC.

5. To sync just launch the Device Manager (Start -> All Programs -> Microsoft Windows Mobile 5.0 MSFP Emulator Images -> Device Emulator Manager)

6. Click on the GUID for your device (you might have to mess around with this if you have both the smartphone and the pda running). Click on Actions -> Cradle

7. You can now use ActiveSync to sync with your Exchange server as long as the connection in ActiveSync is set to DMA.

8. Finally, to save your settings click on File -> Save State in the emulator. This will allow you to use the savestate icon options under Microsoft Windows Mobile 5.0 MSFP Emulator Images.



Enjoy!


Monday, September 18, 2006

Issue with MS06-049 and NTFS compression

Microsoft have announced that there is a bug with the MS06-049 patch when compressing individual folders under Windows 2000.

From reading the bulletin it seems that whatever driver is used to read the contents of the compressed file is having some problems and returns junk. The actual data is unaffected as uncompressing the folder fixes the problem.

Once again, this seems to be a poor show on Microsoft's part, as stuff like this should be tested by them. A fix for the problem is due 'soon', probably prior to the 8th October patching cycle.


Friday, September 15, 2006

MM&M User Group Inaugural Meeting

I had the good fortune to be invited to Microsoft in London's Soho for the inaugural meeting of the MM&M UG (Microsoft Messaging & Mobility User Group UK).

This group has been created in order to encourage users in the UK to share knowledge and tips on Microsoft Messaging platforms, so its main focus is on Exchange Server.

The session I went to in London was fairly well attended for a first meeting. About 20 people showed up to see three presentations ranging from an overview of Exchange 2007 to a live demo of some of the text-to-voice capabilities of Exchange 2007.

The meeting did demonstrate that Microsoft really do 'eat their own dogfood' with Eileen Brown (Microsoft Technology Evangelist) hitting a stumbling block for a couple of minutes because the Exchange server her test account was on had been upgraded!

A couple of demos showed some nice features of Exchange 2007 - Something that's new is the ability to set policies on mobile devices so that if a mobile device is stolen it can be automatically wiped on the next sync. This wasn't demonstrated directly but we did see it in a movie file and it looked quite impressive.

Obviously, a lot of the new features in Exchange 2007 have been in other products for a while now but Exchange puts them in the right place - On the mail server where you can have all your messaging and messaging policies in one place.

The final thing that came out of the meeting was the information that Microsoft are removing support for public folders. Everything will link into SharePoint, so if you have data in public folders you will need to consider going down the SharePoint route. This is something that will happen over a number of years, so public folder support *MAY* be in Exchange 2007. I've not installed it yet so cannot comment on that.

Overall the meeting was quite good. If you are in the UK and heavily involved in Exchange server you could do a lot worse than register on the MM&M UG site.


Thursday, September 14, 2006

Odd thoughts

If you take all the tarmac used in speed bumps across London and put it together in one spot - What size speedbump would you have?

Idle thoughts.........


Tuesday, September 12, 2006

Event log links in Windows 2003 promote bad practice

I was troubleshooting an issue with a Windows 2003 domain controller earlier today and one of the things I often do is take a look in the event logs to see what's going on. In troubleshooting this issue I saw the event log entry shown below - computer names have been removed for obvious security reasons.


Note the little hyperlink at the bottom of the image of the error message.

If you click on this you get asked if you want to send some information to Microsoft. If you do, you get a nice little customised help page which explains what the error is and gives some troubleshooting tips - all nice and innocent?

Not really. Think about this. Microsoft are PRESENTING you with a link to click on. That link gives you an HTML page and *THAT PAGE* is rendered using the dodgy DLLs that Internet Explorer uses. To all intents and purposes the page that is rendered in the Help and Support Center is an Internet Explorer page, and one thing you DON'T want people doing is browsing the internet from your supposedly secure server!

EDIT - It's been pointed out to me that the best way to access these logs is from a workstation connected to the network. This way you can use those links without compromising your server. OK, this is fine for those servers that have not been seriously hardened, but for those that have been locked down I still feel this could be an avenue for attack.


Wednesday, September 06, 2006

MS Word Zero-Day Vulnerability

Today Microsoft released an announcement of a zero-day MS Word exploit. This is going to be patched on Tuesday when they have their monthly patching cycle.

The security advisory can be found here.

Interestingly enough, the MS Team security blog DID have a posting with this link but it seems to have vanished.......
